- A security researcher has reported seven incidents in which misconfigured databases exposed the resumes of millions of Chinese job seekers.
- The pattern indicates that the Chinese HR firms involved are putting databases online with no authentication in front of them.
What is the issue
Several HR companies in China have exposed over 590 million resumes in the past three months through unprotected databases.
The big picture
Sanyam Jain, a security researcher and member of the GDI Foundation, has reported seven incidents in which misconfigured Elasticsearch databases exposed the resumes of millions of Chinese job seekers.
- In the first incident, a misconfigured Elasticsearch server exposed almost 33 million Chinese job seekers' resumes. The leaky database was discovered on March 10, 2019, and was secured four days after Jain reported it to CNCERT.
- On March 13, 2019, Jain found a second misconfigured Elasticsearch server, this one holding 84.8 million resumes. It was also secured with the help of CNCERT.
- On March 15, 2019, Jain uncovered yet another misconfigured Elasticsearch server, containing 93 million resumes.
- The fourth unsecured Elasticsearch server discovered by Jain contained 9 million resumes.
- The fifth server holds 129 million resumes and is still available online: Jain could not get it secured because he has been unable to identify the owner of the database.
- The sixth and seventh servers hold 180,000 and 17,000 resumes respectively.
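Each of these incidents comes down to the same misconfiguration: an Elasticsearch REST API reachable from the internet with no authentication in front of it. The Python script below is an added example, not code from the original article or from the researchers it cites; it shows the check a researcher, or an HR firm's own engineers, would run against a host they are authorised to test. It assumes only the stock Elasticsearch REST API (GET / returns cluster metadata, GET /_cat/indices?format=json returns one row per index with a docs.count field), and the two sample responses embedded in it are constructed for the demonstration, not captured from any server mentioned above.

```python
"""
Check whether an Elasticsearch node answers REST requests without credentials.

Added example; not code from the article or from the researchers it cites.
Assumes only the stock Elasticsearch REST API: GET / returns cluster metadata
and GET /_cat/indices?format=json lists indices with document counts.
"""
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Map the HTTP status and body of GET / to an exposure verdict."""
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        # A bare Elasticsearch node answers GET / with cluster_name and version.
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"  # API reachable with no authentication at all
        return "not-elasticsearch"
    if status in (401, 403):
        return "auth-required"  # security enabled or a proxy in front of the API
    return "unknown"


def summarize_indices(cat_indices_json):
    """Return (total documents, [(index, docs)] sorted largest first)."""
    rows = json.loads(cat_indices_json)
    total = 0
    summary = []
    for row in rows:
        # docs.count is a string in the _cat API and null/absent for closed indices.
        count = int(row.get("docs.count") or 0)
        total += count
        summary.append((row["index"], count))
    summary.sort(key=lambda pair: pair[1], reverse=True)
    return total, summary


def probe(host, port=9200, timeout=5):
    """Live check against a host you are authorised to test (not exercised offline)."""
    base = "http://%s:%d" % (host, port)
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status, body = exc.code, ""
    except (urllib.error.URLError, OSError):
        return "unreachable", 0, []
    verdict = classify(status, body)
    if verdict != "open":
        return verdict, 0, []
    with urllib.request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as resp:
        total, summary = summarize_indices(resp.read().decode("utf-8", "replace"))
    return verdict, total, summary


# Constructed sample responses; not captured from any of the servers in the article.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "hr-cluster",
    "version": {"number": "6.5.4"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "resumes_2019", "docs.count": "33000000"},
    {"health": "green", "status": "open", "index": "applicants", "docs.count": "1500"},
    {"health": "red", "status": "close", "index": "archive"},  # closed: no docs.count
])

if __name__ == "__main__":
    print(classify(200, SAMPLE_ROOT))        # open
    print(classify(401, ""))                 # auth-required
    total, top = summarize_indices(SAMPLE_INDICES)
    print(total, top[0])                     # 33001500 ('resumes_2019', 33000000)
```

An "open" verdict followed by an eight- or nine-figure docs.count is exactly the situation described in the list above. The server-side fix is to stop binding the HTTP port to a public interface and to put authentication in front of the API (a reverse proxy, or Elasticsearch's own security features where they are licensed), rather than relying on nobody finding port 9200.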
Continued data leaks
Apart from these, security researcher Bob Diachenko uncovered another unprotected database on April 2, 2019, containing roughly 20.59 million CVs.
“20,591,134 Chinese CVs with pretty detailed information appeared on a leaky server at some point last week. Quickly taken down by CERT after notification but I think this data might have landed in wrong hands already. Not sure if this is same data reported in Jan,” Diachenko tweeted.
The bottom line
By the article's count, the resumes exposed across the databases above total 590.47 million. The same misconfiguration recurs in every incident, which indicates that the Chinese HR firms involved are putting databases online with no authentication in front of them.